Analysis Date | 2015-10-11 17:00:27 |
---|---|
MD5 | 2c172bc9d6ecaf0933a5449595d0eaf9 |
SHA1 | b12b9612b14cea7c73728da47441584ca3bc50ce |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
---|---|
Section | .text md5: 34704244d9801f79c2ecc46e795d670d sha1: cc293483f9a1e2d9ae483c6b746509e2da317fa6 size: 803328 |
Section | .rdata md5: 297db72c3c2ba9879c1a87589ce26ab4 sha1: de0e4f237dceba72a99beee50204fea107448878 size: 329216 |
Section | .data md5: 989ffaf15813f0b452009d18b76050b5 sha1: 6e37b9c7143504ff18ad4076a3c60096a2e8630b size: 8192 |
Section | .reloc md5: 25a031915037e38b5a5e394fc45406d7 sha1: 6abb3680cb74165e4a1c95203fa6646e418cb27b size: 59392 |
Timestamp | 2015-02-06 21:03:35 |
Packer | Microsoft Visual C++ ?.? |
PEhash | fcf59429d46eab3beed4150db4c9aa34e98668d2 |
IMPhash | 23a3148bc08ff289738f5a8fc4c5cc4a |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Kazy.553443 |
AV | Dr. Web | no_virus |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Kazy.553443 |
AV | BullGuard | Gen:Variant.Kazy.553443 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | no_virus |
AV | Trend Micro | no_virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Zillya! | no_virus |
AV | Emsisoft | Gen:Variant.Kazy.553443 |
AV | Ikarus | Trojan.Win32.Crypt |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/SoxGrave.A.gen!Eldorado |
AV | MalwareBytes | no_virus |
AV | MicroWorld (escan) | Gen:Variant.Kazy.553443 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort!rfn |
AV | K7 | Trojan ( 004c77f41 ) |
AV | BitDefender | Gen:Variant.Kazy.553443 |
AV | Fortinet | W32/Kryptik.DDQD!tr |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Eset (nod32) | Win32/Kryptik.CXVL |
AV | Alwil (avast) | Dropper-gen [Drp] |
AV | Ad-Aware | Gen:Variant.Kazy.553443 |
AV | Rising | no_virus |
AV | Twister | no_virus |
AV | Avira (antivir) | TR/Agent.1201152.10 |
AV | Mcafee | Trojan-FGIJ!2C172BC9D6EC |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe |
---|---|
Creates File | C:\WINDOWS\system32\kysrkekwz\tst |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secure Grouping Framework IKE DCOM ➝ C:\WINDOWS\system32\ipbhfhu.exe |
---|---|
Creates File | C:\WINDOWS\system32\kysrkekwz\lck |
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\ipbhfhu.exe |
Creates File | C:\WINDOWS\system32\kysrkekwz\etc |
Creates File | C:\WINDOWS\system32\kysrkekwz\tst |
Deletes File | C:\WINDOWS\system32\\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\ipbhfhu.exe |
Creates Service | Topology Publication Backup Copy Image - C:\WINDOWS\system32\ipbhfhu.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf |
---|---|
Creates File | C:\WINDOWS\Prefetch\HCKPJWMHAKW.EXE-071894FD.pf |
Creates File | C:\WINDOWS\Prefetch\IPBHFHU.EXE-3A9745BE.pf |
Creates File | C:\WINDOWS\Prefetch\KMGODMNL50GULV2SSP7AX.EXE-15896EDD.pf |
Creates File | C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf |
Creates File | C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf |
Creates File | C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf |
Creates File | C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf |
Creates File | C:\WINDOWS\Prefetch\KMGODMNUSOGULV2.EXE-2B65D5B5.pf |
Creates File | C:\WINDOWS\Prefetch\B12B9612B14CEA7C73728DA474415-018A653A.pf |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Creates File | C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf |
Process
↳ Pid 1204
Process
↳ Pid 1320
Process
↳ Pid 1864
Process
↳ Pid 532
Process
↳ C:\WINDOWS\system32\ipbhfhu.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
---|---|
Creates File | C:\WINDOWS\system32\hckpjwmhakw.exe |
Creates File | C:\WINDOWS\system32\kysrkekwz\run |
Creates File | C:\WINDOWS\TEMP\kmgodmnusogulv2.exe |
Creates File | C:\WINDOWS\system32\kysrkekwz\cfg |
Creates File | C:\WINDOWS\system32\kysrkekwz\lck |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\system32\kysrkekwz\rng |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\kysrkekwz\tst |
Deletes File | C:\WINDOWS\TEMP\kmgodmnusogulv2.exe |
Creates Process | WATCHDOGPROC "c:\windows\system32\ipbhfhu.exe" |
Creates Process | C:\WINDOWS\TEMP\kmgodmnusogulv2.exe -r 33697 tcp |
Process
↳ C:\WINDOWS\system32\ipbhfhu.exe
Creates File | C:\WINDOWS\system32\kysrkekwz\tst |
---|---|
Process
↳ WATCHDOGPROC "c:\windows\system32\ipbhfhu.exe"
Creates File | C:\WINDOWS\system32\kysrkekwz\tst |
---|---|
Process
↳ C:\WINDOWS\TEMP\kmgodmnusogulv2.exe -r 33697 tcp
Creates File | \Device\Afd\Endpoint |
---|---|
Winsock DNS | 239.255.255.250 |
Network Details:
DNS | queentell.net Type: A 208.91.197.241 |
---|---|
DNS | wednesdayhalf.net Type: A 208.91.197.241 |
DNS | mouthrest.net Type: A 208.91.197.241 |
DNS | drivethirteen.net Type: A 208.91.197.241 |
DNS | faceboat.net Type: A 208.91.197.241 |
DNS | muchhappy.net Type: A 208.91.197.241 |
DNS | callmile.net Type: A 208.91.197.241 |
DNS | visitlive.net Type: A 84.16.92.233 |
DNS | watchmine.net Type: A 74.86.188.172 |
DNS | fairserve.net Type: A 184.95.49.118 |
DNS | dreamhello.net Type: A 195.22.26.248 |
DNS | dreammine.net Type: A 195.22.26.248 |
DNS | dreamlive.net Type: A 208.48.81.134 |
DNS | dreamlive.net Type: A 64.15.205.100 |
DNS | dreamlive.net Type: A 64.15.205.101 |
DNS | dreamlive.net Type: A 208.48.81.133 |
DNS | thislive.net Type: A 208.100.26.234 |
DNS | dreamserve.net Type: A 46.30.212.89 |
DNS | southhouse.net Type: A 116.126.87.124 |
DNS | arivegift.net Type: A 195.22.26.252 |
DNS | arivegift.net Type: A 195.22.26.253 |
DNS | arivegift.net Type: A 195.22.26.254 |
DNS | arivegift.net Type: A 195.22.26.231 |
DNS | spothouse.net Type: A 81.169.145.88 |
DNS | salthouse.net Type: A 208.73.211.192 |
DNS | salthouse.net Type: A 208.73.211.195 |
DNS | salthouse.net Type: A 208.73.211.179 |
DNS | salthouse.net Type: A 208.73.211.183 |
DNS | groupgift.net Type: A 162.243.147.202 |
DNS | equalpeace.net Type: A 184.168.221.55 |
DNS | grouppeace.net Type: A 50.63.202.60 |
DNS | spokehouse.net Type: A 202.124.241.178 |
DNS | watchhouse.net Type: A 78.137.164.56 |
DNS | fairhouse.net Type: A 192.214.104.78 |
DNS | watchgift.net Type: A 184.168.221.16 |
DNS | dreamhouse.net Type: A 69.172.201.208 |
DNS | thishouse.net Type: A 207.148.248.143 |
DNS | dreamgift.net Type: A 98.126.32.242 |
DNS | ableread.net Type: A |
DNS | soilunder.net Type: A |
DNS | fearstate.net Type: A |
DNS | visithello.net Type: A |
DNS | spokemine.net Type: A |
DNS | visitmine.net Type: A |
DNS | spokelive.net Type: A |
DNS | spokeserve.net Type: A |
DNS | visitserve.net Type: A |
DNS | watchhello.net Type: A |
DNS | fairhello.net Type: A |
DNS | fairmine.net Type: A |
DNS | watchlive.net Type: A |
DNS | fairlive.net Type: A |
DNS | watchserve.net Type: A |
DNS | thishello.net Type: A |
DNS | thismine.net Type: A |
DNS | thisserve.net Type: A |
DNS | arivehouse.net Type: A |
DNS | southgift.net Type: A |
DNS | arivetuesday.net Type: A |
DNS | southtuesday.net Type: A |
DNS | arivepeace.net Type: A |
DNS | southpeace.net Type: A |
DNS | uponhouse.net Type: A |
DNS | whichhouse.net Type: A |
DNS | upongift.net Type: A |
DNS | whichgift.net Type: A |
DNS | upontuesday.net Type: A |
DNS | whichtuesday.net Type: A |
DNS | uponpeace.net Type: A |
DNS | whichpeace.net Type: A |
DNS | spotgift.net Type: A |
DNS | saltgift.net Type: A |
DNS | spottuesday.net Type: A |
DNS | salttuesday.net Type: A |
DNS | spotpeace.net Type: A |
DNS | saltpeace.net Type: A |
DNS | gladhouse.net Type: A |
DNS | takenhouse.net Type: A |
DNS | gladgift.net Type: A |
DNS | takengift.net Type: A |
DNS | gladtuesday.net Type: A |
DNS | takentuesday.net Type: A |
DNS | gladpeace.net Type: A |
DNS | takenpeace.net Type: A |
DNS | equalhouse.net Type: A |
DNS | grouphouse.net Type: A |
DNS | equalgift.net Type: A |
DNS | equaltuesday.net Type: A |
DNS | grouptuesday.net Type: A |
DNS | visithouse.net Type: A |
DNS | spokegift.net Type: A |
DNS | visitgift.net Type: A |
DNS | spoketuesday.net Type: A |
DNS | visittuesday.net Type: A |
DNS | spokepeace.net Type: A |
DNS | visitpeace.net Type: A |
DNS | fairgift.net Type: A |
DNS | watchtuesday.net Type: A |
DNS | fairtuesday.net Type: A |
DNS | watchpeace.net Type: A |
DNS | fairpeace.net Type: A |
DNS | thisgift.net Type: A |
DNS | dreamtuesday.net Type: A |
DNS | thistuesday.net Type: A |
HTTP GET | http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://callmile.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://visitlive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://watchmine.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://fairserve.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://dreamhello.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://dreammine.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://dreamlive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://thislive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://dreamserve.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://southhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://arivegift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://spothouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://salthouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://groupgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://equalpeace.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://grouppeace.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://spokehouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://watchhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://fairhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://watchgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://dreamhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://thishouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://dreamgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
HTTP GET | http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent: |
Flows TCP | 192.168.1.1:1037 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1038 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1039 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1040 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1041 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1042 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1043 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1044 ➝ 84.16.92.233:80 |
Flows TCP | 192.168.1.1:1045 ➝ 74.86.188.172:80 |
Flows TCP | 192.168.1.1:1046 ➝ 184.95.49.118:80 |
Flows TCP | 192.168.1.1:1047 ➝ 195.22.26.248:80 |
Flows TCP | 192.168.1.1:1048 ➝ 195.22.26.248:80 |
Flows TCP | 192.168.1.1:1049 ➝ 208.48.81.134:80 |
Flows TCP | 192.168.1.1:1050 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1051 ➝ 46.30.212.89:80 |
Flows TCP | 192.168.1.1:1052 ➝ 116.126.87.124:80 |
Flows TCP | 192.168.1.1:1053 ➝ 195.22.26.252:80 |
Flows TCP | 192.168.1.1:1054 ➝ 81.169.145.88:80 |
Flows TCP | 192.168.1.1:1055 ➝ 208.73.211.192:80 |
Flows TCP | 192.168.1.1:1056 ➝ 162.243.147.202:80 |
Flows TCP | 192.168.1.1:1057 ➝ 184.168.221.55:80 |
Flows TCP | 192.168.1.1:1058 ➝ 50.63.202.60:80 |
Flows TCP | 192.168.1.1:1059 ➝ 202.124.241.178:80 |
Flows TCP | 192.168.1.1:1060 ➝ 78.137.164.56:80 |
Flows TCP | 192.168.1.1:1061 ➝ 192.214.104.78:80 |
Flows TCP | 192.168.1.1:1062 ➝ 184.168.221.16:80 |
Flows TCP | 192.168.1.1:1063 ➝ 69.172.201.208:80 |
Flows TCP | 192.168.1.1:1064 ➝ 207.148.248.143:80 |
Flows TCP | 192.168.1.1:1065 ➝ 98.126.32.242:80 |
Flows TCP | 192.168.1.1:1066 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1067 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1068 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1069 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1070 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1071 ➝ 208.91.197.241:80 |